MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-22 23:07:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #670 from jloehel/darkwatchman

Browse source 
Adds DarkWatchman RAT
This commit is contained in:
Alexandre Dulaunoy 2021-12-17 15:24:00 +01:00 committed by GitHub
commit a0b65dd42c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
clusters/rat.json
View file

@ -3486,7 +3486,18 @@
},
"uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
"value": "Guildma"
},
{
"description": "In late November, Prevailions Adversarial Counterintelligence Team (PACT) identified what appeared to be a malicious javascript-based Remote Access Trojan (RAT) that uses a robust Domain Generation Algorithm (DGA) to identify its Command and Control (C2) infrastructure and that utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. This RAT, which PACT refers to by its internal codename “DarkWatchman”, has been observed being distributed by email and represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools. PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actors (TA) web-based infrastructure, and consolidated the results of our analysis into the following report.",
"meta": {
"refs": [
"https://www.prevailion.com/darkwatchman-new-fileness-techniques/"
],
"synonyms": []
},
"uuid": "35198ca6-6f8d-49cd-be1b-65f21b2e7e00",
"value": "DarkWatchman"
}
],
"version": 36
"version": 37
}